Openshift UID not working

[plagerweij]

What happened?

In Openshift, the standard SCC restricted-v2 forces you to run containers with a high UID (e.g. 1000930000). This causes a failure in the package-runtime container, because it has a /tofu directory hardcoded to UID 2000 with no permissions for other:

provider-opentofu/cluster/images/provider-opentofu/Dockerfile

Line 18 in 86a86f8

&& chown -R 2000 /tofu

As a result, the provider cannot create workspaces and fails with:

"error": "cannot make tofu configuration directory: mkdir /tofu/... permission denied",
"errorVerbose": "mkdir /tofu/... permission denied cannot make tofu configuration directory"

In my organization we cannot use a different SCC.

How can we reproduce it?

Create a workspace on any modern Openshift or OKD cluster with restricted-v2 SCC and enable debugging in the package-runtime container.

What environment did it happen in?

Crossplane v1.20.0
Provider Opentofu v0.2.6
Openshift v4.16.42

[kevinetore]

Perhaps it helps anyone, but in order to make it work I've developed a Kyverno policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-anyuid-to-crossplane-opentofu-sa
spec:
  rules:
    - name: grant-anyuid-to-crossplane-opentofu-sa
      match:
        resources:
          kinds:
            - ServiceAccount
          names:
            - "provider-opentofu-*"
          namespaces:
            - "crossplane"
      generate:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        name: "{{request.object.metadata.name}}-anyuid"
        synchronize: true
        data:
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:openshift:scc:anyuid
          subjects:
            - kind: ServiceAccount
              name: "{{request.object.metadata.name}}"
              namespace: "{{request.object.metadata.namespace}}"